raccoon | 080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9

Analysis

max time kernel
298s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 04:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe
Size

452KB
MD5

3e976b90e48e8991c01d99674dbd359d
SHA1

5eafcb5e3fb49b22c11322ac652f4efe4badcc1f
SHA256

080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9
SHA512

0ab1816b8d09f640d5299cf3e4d0fd0c30275a8f19a9563255e8738f15b2f07c50115c9c9eab470fa532150c89fe8c8f1778c4d43aa04736ff0d1c157ba29217
SSDEEP

6144:01fnu4ll8K8S17n0vfYqtvRV/ynbG6JMpKoQ/apBmnTeM:01fu438K51kfYqt7/ybG6E4wBqe

Score

10^/10

raccoon 4ddee039c3c1cb01baf0736505e3e436 stealer

Malware Config

Extracted

Family

raccoon

Botnet

4ddee039c3c1cb01baf0736505e3e436

http://94.131.106.24:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

raccoon

Attributes

user_agent
f

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015598-19.dat	family_raccoon_v2
behavioral1/memory/2556-27-0x0000000000320000-0x000000000036E000-memory.dmp	family_raccoon_v2
behavioral1/memory/2556-28-0x0000000000400000-0x0000000001A3C000-memory.dmp	family_raccoon_v2
behavioral1/memory/2556-37-0x0000000000400000-0x0000000001A3C000-memory.dmp	family_raccoon_v2
behavioral1/memory/2556-58-0x0000000000400000-0x0000000001A3C000-memory.dmp	family_raccoon_v2

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	wfplwfs.exe
2628	2.3.1.1.exe

Loads dropped DLL 3 IoCs

pid	Process
2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe
2556	wfplwfs.exe
2556	wfplwfs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2572	2556	wfplwfs.exe	37

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\d489d2ed762e8c43.job	wfplwfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2500	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2572	rundll32.exe
2572	rundll32.exe
2572	rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2556	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	28
PID 2176 wrote to memory of 2556	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	28
PID 2176 wrote to memory of 2556	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	28
PID 2176 wrote to memory of 2556	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	28
PID 2176 wrote to memory of 3008	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	29
PID 2176 wrote to memory of 3008	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	29
PID 2176 wrote to memory of 3008	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	29
PID 2176 wrote to memory of 3008	2176	080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe	29
PID 2556 wrote to memory of 2628	2556	wfplwfs.exe	31
PID 2556 wrote to memory of 2628	2556	wfplwfs.exe	31
PID 2556 wrote to memory of 2628	2556	wfplwfs.exe	31
PID 2556 wrote to memory of 2628	2556	wfplwfs.exe	31
PID 3008 wrote to memory of 2500	3008	cmd.exe	32
PID 3008 wrote to memory of 2500	3008	cmd.exe	32
PID 3008 wrote to memory of 2500	3008	cmd.exe	32
PID 3008 wrote to memory of 2500	3008	cmd.exe	32
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37
PID 2556 wrote to memory of 2572	2556	wfplwfs.exe	37

C:\Users\Admin\AppData\Local\Temp\080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe
"C:\Users\Admin\AppData\Local\Temp\080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe
    C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09

Filesize
812B

MD5
1c3527f8fe5a24623bdd6ad96bf602fd

SHA1
bc988ad300ca4d581a7056bf8c342377d72d7c73

SHA256
308de7da302d3ecf499b6c140b11fb3d9db0d3b9515d8fa3dd0ce4a65659266c

SHA512
5c54b19308985ed63ee59cda2260b8651a27a79c2864debd349092fbacc15ad9d3df309dbd3699684ebbc2751a8d5a6d8ac4e723c983a6272ae756ac58358d83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
2KB

MD5
51f52201dfae0a6c86ffe79fa22043a5

SHA1
1d89ef81638a5584d2919cf18350979f891ba922

SHA256
89cc3050a87ede4eaa25aa01ad283420bf2a910daa369d8eb4511d45eaf3bfe4

SHA512
5ce4ece60781d52740fdbe5c4d978bb5ba29a56e7b7d5681e1fd84512874bd53e2081da652883961cc62dfaa23c1e9c7b5567e14848bf9c2c2fc570931620c8f

Download Submit
\Users\Admin\AppData\Local\Temp\2.3.1.1.exe

Filesize
80KB

MD5
1a4b749d66f83dd6fbc8f96b90cfd4f5

SHA1
6b3781ad094b2833df6f534e25ed7b929828366f

SHA256
90dea8f22e9858f2e345f3c499b5ef9c28c161eff15ec7c3cc75e74d0ee1fa89

SHA512
53cfc33f7c331672629558abd3f1d044f1d09c2878bd752431706833b6b061a971b204f76b7e199024c5318963a236471181d070a7f4c93986d58aa8bf5c50b8

Download Submit
\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
317KB

MD5
b1388b231c9bf35107e733dba56be104

SHA1
36ebebd87c71962b00042c97dd77c1343e3c4fbf

SHA256
9e31d166f6b78111a03981371cd530a2871a1cf97d3affeddaf5b269397c3295

SHA512
fd105884522e7b97c4b5b8cb400276b1d5077af77f547756cc7556733424e56f771ba7e5d6e25fbd4cf5c7e1683c9dc714275f93da6d8a8aba8cfc901aec4bcd

Download Submit
memory/2176-2-0x0000000000230000-0x0000000000295000-memory.dmp

Filesize
404KB

Download
memory/2176-5-0x0000000000400000-0x0000000001A5D000-memory.dmp

Filesize
22.4MB

Download
memory/2176-17-0x0000000000400000-0x0000000001A5D000-memory.dmp

Filesize
22.4MB

Download
memory/2176-1-0x0000000001B70000-0x0000000001C70000-memory.dmp

Filesize
1024KB

Download
memory/2556-27-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2556-37-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/2556-28-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/2556-26-0x0000000001B20000-0x0000000001C20000-memory.dmp

Filesize
1024KB

Download
memory/2556-58-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/2572-39-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2572-41-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2572-45-0x0000000003140000-0x00000000041A2000-memory.dmp

Filesize
16.4MB

Download
memory/2572-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads